[selinux-policy/f15/master] - Add syslogd_exec_t label for systemd-kmsg-syslogd - ipsec_mgmt_t wants to cause ipsec_t to dump co
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 22 22:43:57 UTC 2011
commit 6c503a26d70610f2fe8cfefbaf59d4830eec34ed
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Mar 22 23:37:41 2011 +0000
- Add syslogd_exec_t label for systemd-kmsg-syslogd
- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed
- Allow rhythmbox and other apps to share music over the daap port
- Allow qemu and pulseaudio to work together
- Allow httpd to create socket file in /tmp
- Allow tuned to write to sysfs
- Allow systemd_tmpfiles to send kernel messages
- Add a dev_filetrans to readahead_manage_pid_files so any callers can
- mrtg needs to be able to create /var/lock/mrtg
- Add label for /usr/share/shorewall/getparams
- xdm needs to read KDE config files
- Smolt needs to look at urand and read hwdata
- google talk plugin in nsplugin is listing the contents
- Add support for KDE ksysguardprocesslist_helper
- Add support for a new cluster service - foghorn
- gnome-control-center reads colord lib files when monitor is plugged
policy-F15.patch | 796 +++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 20 ++-
2 files changed, 540 insertions(+), 276 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index b7ffee0..a472ae6 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -923,10 +923,23 @@ index 5671977..24a6ad6 100644
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
-index 0e19d80..9d58abe 100644
+index 0e19d80..54c3ea2 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
-@@ -115,6 +115,7 @@ selinux_dontaudit_getattr_dir(mrtg_t)
+@@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+ dontaudit mrtg_t mrtg_etc_t:dir write;
+ dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+
++manage_dirs_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+ manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+ manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
++files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file })
+
++manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+ manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+ logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
+
+@@ -115,6 +118,7 @@ selinux_dontaudit_getattr_dir(mrtg_t)
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
@@ -1393,10 +1406,10 @@ index 7077413..56d1ecb 100644
+
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
-index 47c4723..ca58272 100644
+index 47c4723..c1bed2b 100644
--- a/policy/modules/admin/readahead.if
+++ b/policy/modules/admin/readahead.if
-@@ -1 +1,40 @@
+@@ -1 +1,42 @@
## <summary>Readahead, read files into page cache for improved performance</summary>
+
+########################################
@@ -1433,7 +1446,9 @@ index 47c4723..ca58272 100644
+ type readahead_var_run_t;
+ ')
+
++ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
++ dev_filetrans($1, readahead_var_run_t, { dir file })
+ files_search_pids($1)
+')
+
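Review bot: The added `dev_filetrans($1, readahead_var_run_t, { dir file })` carries no name restriction, so every caller of readahead_manage_pid_files will have any directory or file it creates directly in /dev labelled readahead_var_run_t, not only /dev/.systemd/readahead, and neither the interface name nor its summary mentions that side effect. At minimum document it in the interface header, e.g. `## Also transitions dirs and files the caller creates directly in /dev to readahead_var_run_t (for /dev/.systemd/readahead).`, and keep the set of callers small; if the policy toolchain in use supports name-based transitions, a filename-qualified rule would narrow it to that one path. The interface's opening lines are above this hunk.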
@@ -2185,7 +2200,7 @@ index 8966ec9..a3928ef 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
-index bc00875..b47c0f4 100644
+index bc00875..819a10b 100644
--- a/policy/modules/admin/smoltclient.te
+++ b/policy/modules/admin/smoltclient.te
@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
@@ -2196,7 +2211,15 @@ index bc00875..b47c0f4 100644
type smoltclient_tmp_t;
files_tmp_file(smoltclient_tmp_t)
-@@ -46,6 +45,7 @@ fs_list_auto_mountpoints(smoltclient_t)
+@@ -39,6 +38,7 @@ corecmd_exec_shell(smoltclient_t)
+ corenet_tcp_connect_http_port(smoltclient_t)
+
+ dev_read_sysfs(smoltclient_t)
++dev_read_urand(smoltclient_t)
+
+ fs_getattr_all_fs(smoltclient_t)
+ fs_getattr_all_dirs(smoltclient_t)
+@@ -46,15 +46,21 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_files(smoltclient_t)
@@ -2204,7 +2227,10 @@ index bc00875..b47c0f4 100644
files_read_usr_files(smoltclient_t)
auth_use_nsswitch(smoltclient_t)
-@@ -55,6 +55,10 @@ logging_send_syslog_msg(smoltclient_t)
+
+ logging_send_syslog_msg(smoltclient_t)
+
++miscfiles_read_hwdata(smoltclient_t)
miscfiles_read_localization(smoltclient_t)
optional_policy(`
@@ -3269,10 +3295,10 @@ index 0000000..f4c2d3f
+ policykit_dbus_chat(firewallgui_t)
+')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..1354800 100644
+index 00a19e3..55075f9 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,34 @@
+@@ -1,9 +1,36 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
@@ -3300,6 +3326,8 @@ index 00a19e3..1354800 100644
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
++/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
++
+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
@@ -3308,12 +3336,12 @@ index 00a19e3..1354800 100644
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-+
++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..65118f7 100644
+index f5afe78..fd92093 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,43 +1,521 @@
+@@ -1,43 +1,523 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
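Review bot: The new entry for `/usr/libexec/kde(3|4)/ksysguardprocesslist_helper` reuses gnomesystemmm_exec_t, the entrypoint type of gnome-system-monitor-mechanism, so the KDE helper presumably ends up in that GNOME domain with whatever that domain is allowed. Sharing another application's entrypoint type is a legitimate shortcut, but nothing in the fc file says it is intentional, and a later reader may take it for a copy-paste mistake. Add a comment above the line, e.g. `# KDE's ksysguard process-list helper needs the same access as gnome-system-monitor-mechanism, so it shares that domain.` The trailing context lines of this hunk belong to the gnome.if file header, not to gnome.fc.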
@@ -3382,13 +3410,15 @@ index f5afe78..65118f7 100644
+ class dbus send_msg;
+ ')
+
-+ type gkeyringd_$1_t, gnome_domain, gkeyringd_domain;
-+ application_domain(gkeyringd_$1_t, gkeyringd_exec_t)
-+ ubac_constrained(gkeyringd_$1_t)
++ type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
++ typealias $1_gkeyringd_t alias gkeyrind_$1_t;
++ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
++ ubac_constrained($1_gkeyringd_t)
++ domain_user_exemption_target($1_gkeyringd_t)
+
-+ role $2 types gkeyringd_$1_t;
++ role $2 types $1_gkeyringd_t;
+
-+ domtrans_pattern($3, gkeyringd_exec_t, gkeyringd_$1_t)
++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+
+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
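Review bot: The alias that is supposed to keep the old domain name valid is misspelled: `typealias $1_gkeyringd_t alias gkeyrind_$1_t;` declares gkeyrind_$1_t (missing the g), so any policy that still refers to the old name, such as gkeyringd_staff_t, will fail to build instead of resolving to the renamed type. It should read `typealias $1_gkeyringd_t alias gkeyringd_$1_t;`. Nothing in-tree would catch this, because the staff.te hunk later in this patch already switches its own reference to the new name. That same staff.te line, `permissive staff_gkeyringd_t;`, keeps the keyring domain in permissive mode; if that is a development aid it deserves a comment saying when it is meant to go away. The template's header and gen_require are above this hunk.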
@@ -3396,31 +3426,31 @@ index f5afe78..65118f7 100644
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
-+ corecmd_bin_domtrans(gkeyringd_$1_t, $1_t)
-+ corecmd_shell_domtrans(gkeyringd_$1_t, $1_t)
-+ allow gkeyringd_$1_t $3:process sigkill;
-+ allow $3 gkeyringd_$1_t:fd use;
-+ allow $3 gkeyringd_$1_t:fifo_file rw_fifo_file_perms;
++ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
++ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
++ allow $1_gkeyringd_t $3:process sigkill;
++ allow $3 $1_gkeyringd_t:fd use;
++ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
-+ ps_process_pattern(gkeyringd_$1_t, $3)
++ ps_process_pattern($1_gkeyringd_t, $3)
+
-+ ps_process_pattern($3, gkeyringd_$1_t)
-+ allow $3 gkeyringd_$1_t:process { ptrace signal_perms };
++ ps_process_pattern($3, $1_gkeyringd_t)
++ allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
-+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_$1_t)
++ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
-+ allow gkeyringd_$1_t $3:dbus send_msg;
-+ allow $3 gkeyringd_$1_t:dbus send_msg;
++ allow $1_gkeyringd_t $3:dbus send_msg;
++ allow $3 $1_gkeyringd_t:dbus send_msg;
+ optional_policy(`
-+ dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t)
-+ dbus_session_bus_client(gkeyringd_$1_t)
-+ gnome_home_dir_filetrans(gkeyringd_$1_t)
-+ gnome_manage_generic_home_dirs(gkeyringd_$1_t)
++ dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t)
++ dbus_session_bus_client($1_gkeyringd_t)
++ gnome_home_dir_filetrans($1_gkeyringd_t)
++ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+
+ optional_policy(`
-+ telepathy_mission_control_read_state(gkeyringd_$1_t)
++ telepathy_mission_control_read_state($1_gkeyringd_t)
+ ')
+ ')
+')
@@ -3853,7 +3883,7 @@ index f5afe78..65118f7 100644
## in the caller domain.
## </summary>
## <param name="domain">
-@@ -56,27 +534,26 @@ interface(`gnome_exec_gconf',`
+@@ -56,27 +536,26 @@ interface(`gnome_exec_gconf',`
########################################
## <summary>
@@ -3889,7 +3919,7 @@ index f5afe78..65118f7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +561,41 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +563,41 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -3942,7 +3972,7 @@ index f5afe78..65118f7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,12 +603,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +605,13 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -3959,7 +3989,7 @@ index f5afe78..65118f7 100644
')
########################################
-@@ -151,40 +633,328 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +635,328 @@ interface(`gnome_setattr_config_dirs',`
########################################
## <summary>
@@ -6470,10 +6500,10 @@ index 0000000..4f9cb05
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..e4db34a
+index 0000000..6cc919e
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,322 @@
+@@ -0,0 +1,323 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -6592,6 +6622,7 @@ index 0000000..e4db34a
+dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_read_sysfs(nsplugin_t)
++dev_dontaudit_getattr_all(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
@@ -7025,7 +7056,7 @@ index 2ba7787..9f12b51 100644
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..1773e24 100644
+index c2d20a2..ae61e3c 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -7076,10 +7107,10 @@ index c2d20a2..1773e24 100644
')
+
+optional_policy(`
-+ sandbox_manage_tmpfs_files(pulseaudio_t)
++ qemu_manage_tmpfs_files(pulseaudio_t)
+')
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
-index c1d5f50..429b9ce 100644
+index c1d5f50..85fb63b 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -98,61 +98,40 @@ template(`qemu_domain_template',`
@@ -7244,7 +7275,7 @@ index c1d5f50..429b9ce 100644
## Manage qemu temporary dirs.
## </summary>
## <param name="domain">
-@@ -308,3 +345,24 @@ interface(`qemu_manage_tmp_files',`
+@@ -308,3 +345,42 @@ interface(`qemu_manage_tmp_files',`
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
@@ -7268,9 +7299,27 @@ index c1d5f50..429b9ce 100644
+ domain_entry_file($1, qemu_exec_t)
+')
+
++########################################
++## <summary>
++## allow domain to manage
++## qemu tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`qemu_manage_tmpfs_files',`
++ gen_require(`
++ attribute qemu_tmpfs_type;
++ ')
++
++ allow $1 qemu_tmpfs_type:file manage_file_perms;
++')
+
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 5ef2f7d..6f02ecd 100644
+index 5ef2f7d..c01d37c 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true)
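Review bot: The new `qemu_manage_tmpfs_files` interface grants only `allow $1 qemu_tmpfs_type:file manage_file_perms;` and nothing on the tmpfs directories the files live in, so a caller can use it only if it already has search access to tmpfs from elsewhere; the sibling `qemu_manage_tmp_files` above it is self-contained by comparison. Add `fs_search_tmpfs($1)` next to the allow rule so the interface works on its own. Since the only caller in this patch is pulseaudio_t, which presumably opens existing shared-memory files rather than creating them, it is worth confirming whether rw_file_perms would do instead of manage_file_perms. The summary should also follow the wording used elsewhere in the file, e.g. `## Create, read, write, and delete qemu tmpfs files.`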
@@ -7301,7 +7350,7 @@ index 5ef2f7d..6f02ecd 100644
corenet_udp_bind_all_ports(qemu_t)
corenet_tcp_bind_all_ports(qemu_t)
corenet_tcp_connect_all_ports(qemu_t)
-@@ -90,7 +91,9 @@ tunable_policy(`qemu_use_usb',`
+@@ -90,10 +91,18 @@ tunable_policy(`qemu_use_usb',`
')
optional_policy(`
@@ -7312,18 +7361,28 @@ index 5ef2f7d..6f02ecd 100644
')
optional_policy(`
-@@ -102,6 +105,10 @@ optional_policy(`
++ pulseaudio_manage_home_files(qemu_t)
++ pulseaudio_stream_connect(qemu_t)
++')
++
++optional_policy(`
++ virt_manage_home_files(qemu_t)
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+ ')
+@@ -102,6 +111,11 @@ optional_policy(`
xen_rw_image_files(qemu_t)
')
+optional_policy(`
-+ xen_rw_image_files(qemu_t)
++ xserver_read_xdm_pid(qemu_t)
++ xserver_stream_connect(qemu_t)
+')
+
########################################
#
# Unconfined qemu local policy
-@@ -112,6 +119,8 @@ optional_policy(`
+@@ -112,6 +126,8 @@ optional_policy(`
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
unconfined_domain(unconfined_qemu_t)
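Review bot: `pulseaudio_manage_home_files(qemu_t)` gives the qemu domain create and delete rights over PulseAudio's per-user home content, which looks broader than the "work together" use case needs; the paired `pulseaudio_stream_connect(qemu_t)` is the access actually required to talk to the daemon. If a read/write variant such as `pulseaudio_rw_home_files` exists in this tree, prefer it, and otherwise add a comment naming which files qemu has to create so the manage rule is justified. The same question applies to `virt_manage_home_files(qemu_t)` in this hunk. The surrounding optional_policy blocks start and end within the hunk, but the qemu_t policy section as a whole continues outside it.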
@@ -9447,7 +9506,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..e65d58a 100644
+index 34c9d01..4593351 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -9513,7 +9572,15 @@ index 34c9d01..e65d58a 100644
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -307,6 +316,7 @@ ifdef(`distro_redhat', `
+@@ -283,6 +292,7 @@ ifdef(`distro_gentoo',`
+ /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -307,6 +317,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -9521,7 +9588,7 @@ index 34c9d01..e65d58a 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +326,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +327,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -9557,10 +9624,44 @@ index 9e5c83e..953e0e8 100644
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 5a07a43..e97e47f 100644
+index 5a07a43..99c7564 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
-@@ -86,6 +86,33 @@ interface(`corenet_rpc_port',`
+@@ -32,6 +32,33 @@ interface(`corenet_port',`
+
+ ########################################
+ ## <summary>
++## Define type to be a network node type
++## </summary>
++## <desc>
++## <p>
++## Define type to be a network node type
++## </p>
++## <p>
++## This is for supporting third party modules and its
++## use is not allowed in upstream reference policy.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Type to be used for network nodes.
++## </summary>
++## </param>
++#
++interface(`corenet_node',`
++ gen_require(`
++ attribute node_type;
++ ')
++
++ typeattribute $1 node_type;
++')
++
++########################################
++## <summary>
+ ## Define network type to be a reserved port (lt 1024)
+ ## </summary>
+ ## <desc>
+@@ -86,6 +113,33 @@ interface(`corenet_rpc_port',`
########################################
## <summary>
@@ -9594,7 +9695,7 @@ index 5a07a43..e97e47f 100644
## Define type to be a network client packet type
## </summary>
## <desc>
-@@ -2168,9 +2195,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2168,9 +2222,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
## </param>
#
interface(`corenet_tcp_recvfrom_unlabeled',`
@@ -9609,7 +9710,7 @@ index 5a07a43..e97e47f 100644
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
-@@ -2522,6 +2554,30 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2522,6 +2581,30 @@ interface(`corenet_all_recvfrom_netlabel',`
########################################
## <summary>
@@ -9641,7 +9742,7 @@ index 5a07a43..e97e47f 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..5a4a625 100644
+index 0757523..a364fde 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -9706,7 +9807,7 @@ index 0757523..5a4a625 100644
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
-@@ -86,6 +105,7 @@ network_port(clamd, tcp,3310,s0)
+@@ -86,9 +105,11 @@ network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
network_port(cobbler, tcp,25151,s0)
@@ -9714,7 +9815,11 @@ index 0757523..5a4a625 100644
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -96,9 +116,12 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
++network_port(daap, tcp,3689,s0, udp,3689,s0)
+ network_port(dbskkd, tcp,1178,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dccm, tcp,5679,s0, udp,5679,s0)
+@@ -96,9 +117,12 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -9727,7 +9832,7 @@ index 0757523..5a4a625 100644
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -112,7 +135,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -112,7 +136,7 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -9736,7 +9841,7 @@ index 0757523..5a4a625 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -126,43 +149,58 @@ network_port(iscsi, tcp,3260,s0)
+@@ -126,43 +150,58 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -9799,7 +9904,7 @@ index 0757523..5a4a625 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +215,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +216,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -9833,7 +9938,7 @@ index 0757523..5a4a625 100644
network_port(syslogd, udp,514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
-@@ -205,16 +248,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,16 +249,17 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -9854,7 +9959,7 @@ index 0757523..5a4a625 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -276,5 +320,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -276,5 +321,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -9884,7 +9989,7 @@ index 6cf8784..286aec1 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..0d86b0f 100644
+index e9313fb..0b844f8 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -10183,6 +10288,30 @@ index e9313fb..0d86b0f 100644
## Write to watchdog devices.
## </summary>
## <param name="domain">
+@@ -4748,3 +4838,23 @@ interface(`dev_unconfined',`
+
+ typeattribute $1 devices_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## Dontaudit getattr on all device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_getattr_all',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
++')
++
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 3ff4f60..89ffda6 100644
--- a/policy/modules/kernel/devices.te
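Review bot: The summary `Dontaudit getattr on all device nodes.` understates the rule beneath it: `dontaudit $1 { device_t device_node }:dir_file_class_set getattr;` also silences getattr denials on device_t directories and on regular files under /dev, not just device nodes. The name `dev_dontaudit_getattr_all` is likewise out of step with the neighbouring `dev_dontaudit_getattr_all_chr_files` and `dev_dontaudit_getattr_all_blk_files`, which say what they match; a name ending in the object being matched (for instance `dev_dontaudit_getattr_all_dev_nodes`) would, and the caller added to nsplugin.te in this same patch would need the same rename. Suggested summary: `## Do not audit attempts to get the attributes of any file or directory under /dev, including all device nodes.`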
@@ -13367,7 +13496,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..f0ca9f2 100644
+index 2be17d2..9440b5f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -13442,7 +13571,7 @@ index 2be17d2..f0ca9f2 100644
+optional_policy(`
+ gnome_role(staff_r, staff_t)
+ gnome_role_gkeyringd(staff, staff_r, staff_t)
-+ permissive gkeyringd_staff_t;
++ permissive staff_gkeyringd_t;
+')
+
+optional_policy(`
@@ -13582,7 +13711,7 @@ index 2be17d2..f0ca9f2 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +313,8 @@ ifndef(`distro_redhat',`
+@@ -172,3 +313,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -13590,7 +13719,6 @@ index 2be17d2..f0ca9f2 100644
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(staff_usertype)
+')
-+
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4a8d146..d721e34 100644
--- a/policy/modules/roles/sysadm.te
@@ -16998,7 +17126,7 @@ index 6480167..09c61a0 100644
+ dontaudit $1 httpd_tmp_t:file { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..da3eab1 100644
+index 3136c6a..700b734 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -17324,7 +17452,18 @@ index 3136c6a..da3eab1 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +440,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -329,8 +414,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
++manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
+
+ manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -355,6 +441,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -17332,7 +17471,7 @@ index 3136c6a..da3eab1 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +451,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,8 +452,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -17343,7 +17482,7 @@ index 3136c6a..da3eab1 100644
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +466,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +467,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -17359,7 +17498,7 @@ index 3136c6a..da3eab1 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +479,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +480,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -17367,7 +17506,7 @@ index 3136c6a..da3eab1 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,6 +491,10 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +492,10 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -17378,7 +17517,7 @@ index 3136c6a..da3eab1 100644
libs_read_lib_files(httpd_t)
-@@ -416,34 +509,73 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +510,73 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -17454,7 +17593,7 @@ index 3136c6a..da3eab1 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +588,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +589,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -17465,7 +17604,7 @@ index 3136c6a..da3eab1 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +602,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +603,27 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -17495,7 +17634,7 @@ index 3136c6a..da3eab1 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +632,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +633,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -17512,7 +17651,7 @@ index 3136c6a..da3eab1 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +657,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +658,10 @@ tunable_policy(`httpd_ssi_exec',`
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -17523,7 +17662,7 @@ index 3136c6a..da3eab1 100644
')
optional_policy(`
-@@ -513,7 +672,13 @@ optional_policy(`
+@@ -513,7 +673,13 @@ optional_policy(`
')
optional_policy(`
@@ -17538,7 +17677,7 @@ index 3136c6a..da3eab1 100644
')
optional_policy(`
-@@ -528,7 +693,18 @@ optional_policy(`
+@@ -528,7 +694,18 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -17558,7 +17697,7 @@ index 3136c6a..da3eab1 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +713,13 @@ optional_policy(`
+@@ -537,8 +714,13 @@ optional_policy(`
')
optional_policy(`
@@ -17573,7 +17712,7 @@ index 3136c6a..da3eab1 100644
')
')
-@@ -556,7 +737,13 @@ optional_policy(`
+@@ -556,7 +738,13 @@ optional_policy(`
')
optional_policy(`
@@ -17587,7 +17726,7 @@ index 3136c6a..da3eab1 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +754,7 @@ optional_policy(`
+@@ -567,6 +755,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -17595,7 +17734,7 @@ index 3136c6a..da3eab1 100644
')
optional_policy(`
-@@ -577,6 +765,16 @@ optional_policy(`
+@@ -577,6 +766,16 @@ optional_policy(`
')
optional_policy(`
@@ -17612,7 +17751,7 @@ index 3136c6a..da3eab1 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +789,11 @@ optional_policy(`
+@@ -591,6 +790,11 @@ optional_policy(`
')
optional_policy(`
@@ -17624,7 +17763,7 @@ index 3136c6a..da3eab1 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +806,11 @@ optional_policy(`
+@@ -603,6 +807,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -17636,7 +17775,7 @@ index 3136c6a..da3eab1 100644
########################################
#
# Apache helper local policy
-@@ -618,6 +826,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +827,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
@@ -17647,7 +17786,7 @@ index 3136c6a..da3eab1 100644
########################################
#
# Apache PHP script local policy
-@@ -654,28 +866,29 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +867,29 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -17690,7 +17829,7 @@ index 3136c6a..da3eab1 100644
')
########################################
-@@ -699,17 +912,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +913,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -17716,7 +17855,7 @@ index 3136c6a..da3eab1 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +958,26 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +959,26 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -17744,7 +17883,7 @@ index 3136c6a..da3eab1 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1000,25 @@ optional_policy(`
+@@ -769,6 +1001,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -17770,7 +17909,7 @@ index 3136c6a..da3eab1 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1039,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1040,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -17788,7 +17927,7 @@ index 3136c6a..da3eab1 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1058,49 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1059,49 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -17844,7 +17983,7 @@ index 3136c6a..da3eab1 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1108,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1109,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -17875,7 +18014,7 @@ index 3136c6a..da3eab1 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1143,20 @@ optional_policy(`
+@@ -842,10 +1144,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -17896,7 +18035,7 @@ index 3136c6a..da3eab1 100644
')
########################################
-@@ -891,11 +1202,21 @@ optional_policy(`
+@@ -891,11 +1203,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -20799,10 +20938,10 @@ index 0000000..0a83e88
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
new file mode 100644
-index 0000000..38cb883
+index 0000000..939d76e
--- /dev/null
+++ b/policy/modules/services/colord.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,60 @@
+
+## <summary>policy for colord</summary>
+
@@ -20845,6 +20984,24 @@ index 0000000..38cb883
+ allow colord_t $1:dbus send_msg;
+')
+
++######################################
++## <summary>
++## Read colord lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`colord_read_lib_files',`
++ gen_require(`
++ type colord_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
++')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
index 0000000..173e56f
@@ -23113,7 +23270,7 @@ index f706b99..22b862e 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..0d11034 100644
+index f231f17..beb0163 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -23232,15 +23389,19 @@ index f231f17..0d11034 100644
term_use_all_terms(devicekit_power_t)
-@@ -227,6 +259,7 @@ miscfiles_read_localization(devicekit_power_t)
+@@ -225,8 +257,11 @@ auth_use_nsswitch(devicekit_power_t)
+ miscfiles_read_localization(devicekit_power_t)
+
++seutil_exec_setfiles(devicekit_power_t)
++
sysnet_read_config(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,6 +268,10 @@ optional_policy(`
+@@ -235,6 +270,10 @@ optional_policy(`
')
optional_policy(`
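Review bot: The new `seutil_exec_setfiles(devicekit_power_t)` runs setfiles inside devicekit_power_t itself instead of transitioning to the setfiles domain, so any relabeling it performs needs relabelfrom/relabelto rules granted directly to devicekit_power_t and is not confined by the setfiles policy. If the intent is to let the daemon relabel something, `seutil_domtrans_setfiles(devicekit_power_t)` keeps that work in setfiles_t; if execution without relabeling is all that is needed, a why-comment such as `# runs setfiles in-domain for <reason> — confirm` would stop the next reader from widening it. Which invocation prompted this is not visible in the hunk, so I cannot tell which form is correct.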
@@ -23251,7 +23412,7 @@ index f231f17..0d11034 100644
cron_initrc_domtrans(devicekit_power_t)
')
-@@ -261,14 +298,21 @@ optional_policy(`
+@@ -261,14 +300,21 @@ optional_policy(`
')
optional_policy(`
@@ -23274,7 +23435,7 @@ index f231f17..0d11034 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +320,25 @@ optional_policy(`
+@@ -276,9 +322,25 @@ optional_policy(`
')
optional_policy(`
@@ -36123,10 +36284,10 @@ index 0000000..c403abc
+')
diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
new file mode 100644
-index 0000000..8763ea6
+index 0000000..4c6848c
--- /dev/null
+++ b/policy/modules/services/qpidd.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,69 @@
+policy_module(qpidd, 1.0.0)
+
+########################################
@@ -36176,6 +36337,7 @@ index 0000000..8763ea6
+corenet_tcp_sendrecv_generic_node(qpidd_t)
+corenet_tcp_sendrecv_all_ports(qpidd_t)
+corenet_tcp_bind_amqp_port(qpidd_t)
++corenet_tcp_bind_matahari_port(qpidd_t)
+
+dev_read_urand(qpidd_t)
+
@@ -36851,15 +37013,16 @@ index 00fa514..1ef4cc6 100644
mysql_stream_connect(rgmanager_t)
')
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
-index c2ba53b..d862e7e 100644
+index c2ba53b..853eeb5 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
-@@ -1,14 +1,17 @@
+@@ -1,14 +1,18 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
@@ -37041,7 +37204,7 @@ index de37806..229a3c7 100644
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..3360a6c 100644
+index 93c896a..4930f2d 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0)
@@ -37063,7 +37226,17 @@ index 93c896a..3360a6c 100644
rhcs_domain_template(dlm_controld)
-@@ -33,6 +35,10 @@ rhcs_domain_template(qdiskd)
+@@ -24,6 +26,9 @@ files_lock_file(fenced_lock_t)
+ type fenced_tmp_t;
+ files_tmp_file(fenced_tmp_t)
+
++rhcs_domain_template(foghorn)
++permissive foghorn_t;
++
+ rhcs_domain_template(gfs_controld)
+
+ rhcs_domain_template(groupd)
+@@ -33,6 +38,10 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
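Review bot: `permissive foghorn_t;` makes every denial for the new domain log-only, so the foghorn rules added further down (the hunk ending at `# gfs_controld local policy`) are not yet what governs the process, and nothing marks the permissive declaration as temporary. A comment next to it, `# TODO: remove once the foghorn policy is complete`, plus a tracking reference would keep the domain from shipping permissive indefinitely. In that later hunk, `allow foghorn_t self:process { signal };` can drop the braces around the single permission to match the neighbouring rules.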
@@ -37074,7 +37247,7 @@ index 93c896a..3360a6c 100644
#####################################
#
# dlm_controld local policy
-@@ -55,20 +61,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -55,20 +64,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -37097,7 +37270,7 @@ index 93c896a..3360a6c 100644
can_exec(fenced_t, fenced_exec_t)
-@@ -82,7 +85,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,7 +88,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -37108,7 +37281,7 @@ index 93c896a..3360a6c 100644
corenet_tcp_connect_http_port(fenced_t)
-@@ -104,9 +110,13 @@ tunable_policy(`fenced_can_network_connect',`
+@@ -104,9 +113,13 @@ tunable_policy(`fenced_can_network_connect',`
corenet_tcp_connect_all_ports(fenced_t)
')
@@ -37123,7 +37296,30 @@ index 93c896a..3360a6c 100644
')
optional_policy(`
-@@ -120,7 +130,6 @@ optional_policy(`
+@@ -114,13 +127,29 @@ optional_policy(`
+ lvm_read_config(fenced_t)
+ ')
+
++#######################################
++#
++# foghorn local policy
++#
++
++allow foghorn_t self:process { signal };
++
++files_read_etc_files(foghorn_t)
++
++optional_policy(`
++ dbus_connect_system_bus(foghorn_t)
++')
++
++optional_policy(`
++ snmp_read_snmp_var_lib_files(foghorn_t)
++')
++
+ ######################################
+ #
+ # gfs_controld local policy
#
allow gfs_controld_t self:capability { net_admin sys_resource };
@@ -37131,7 +37327,7 @@ index 93c896a..3360a6c 100644
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +168,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -37142,7 +37338,7 @@ index 93c896a..3360a6c 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,9 +159,10 @@ optional_policy(`
+@@ -154,9 +179,10 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -37154,7 +37350,7 @@ index 93c896a..3360a6c 100644
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
-@@ -168,8 +174,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +194,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
@@ -37164,7 +37360,7 @@ index 93c896a..3360a6c 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -199,6 +204,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +224,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
@@ -37173,7 +37369,7 @@ index 93c896a..3360a6c 100644
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +214,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +234,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -37184,7 +37380,7 @@ index 93c896a..3360a6c 100644
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +226,28 @@ optional_policy(`
+@@ -223,18 +246,28 @@ optional_policy(`
# rhcs domains common policy
#
@@ -41578,7 +41774,7 @@ index 54b8605..752697f 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..b3983a9 100644
+index db9d2a5..1aebd23 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t)
@@ -41589,6 +41785,15 @@ index db9d2a5..b3983a9 100644
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+@@ -39,7 +40,7 @@ kernel_read_system_state(tuned_t)
+ kernel_read_network_state(tuned_t)
+
+ dev_read_urand(tuned_t)
+-dev_read_sysfs(tuned_t)
++dev_rw_sysfs(tuned_t)
+ # to allow cpu tuning
+ dev_rw_netcontrol(tuned_t)
+
@@ -58,6 +59,10 @@ optional_policy(`
fstools_domtrans(tuned_t)
')
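Review bot: Replacing `dev_read_sysfs(tuned_t)` with `dev_rw_sysfs(tuned_t)` grants write access to everything labeled sysfs_t, not only the knobs tuned adjusts, and the one nearby explanation, `# to allow cpu tuning`, belongs to the `dev_rw_netcontrol` line below it. A comment on the new line naming what is actually written (presumably tunables under /sys — confirm against the denials that prompted this) would document the intent and make later tightening possible.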
@@ -42046,7 +42251,7 @@ index 2124b6a..6546d6e 100644
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..508a480 100644
+index 7c5d8d8..d885f6b 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,14 +13,14 @@
@@ -42298,7 +42503,7 @@ index 7c5d8d8..508a480 100644
')
########################################
-@@ -516,3 +589,87 @@ interface(`virt_admin',`
+@@ -516,3 +589,107 @@ interface(`virt_admin',`
virt_manage_log($1)
')
@@ -42386,6 +42591,26 @@ index 7c5d8d8..508a480 100644
+
+ allow $1 virt_domain:process signal;
+')
++
++########################################
++## <summary>
++## Manage virt home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_manage_home_files',`
++ gen_require(`
++ type virt_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, virt_home_t, virt_home_t)
++')
++
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3eca020..a541a0a 100644
--- a/policy/modules/services/virt.te
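Review bot: The new `virt_manage_home_files` interface grants `manage_files_pattern` on virt_home_t plus a search of user home directories, but no directory or symlink management, so a caller that needs to create a directory under virt_home_t will still be denied. If files-only is intentional, the summary should say so, e.g. `## Manage virt home files (files only; directories are not covered).`; if not, a `manage_dirs_pattern($1, virt_home_t, virt_home_t)` line is missing. The caller that motivated the interface is not in this hunk, so I cannot tell which is intended.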
@@ -44388,7 +44613,7 @@ index 130ced9..33c8170 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 6c01261..4bd148a 100644
+index 6c01261..4f1be57 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -45069,7 +45294,7 @@ index 6c01261..4bd148a 100644
')
optional_policy(`
-@@ -527,6 +784,15 @@ optional_policy(`
+@@ -527,6 +784,16 @@ optional_policy(`
')
optional_policy(`
@@ -45077,6 +45302,7 @@ index 6c01261..4bd148a 100644
+ gnome_manage_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t)
+ gnome_read_config(xdm_t)
++ gnome_read_usr_config(xdm_t)
+ gnome_read_gconf_config(xdm_t)
+ gnome_transition_gkeyringd(xdm_t)
+')
@@ -45085,7 +45311,7 @@ index 6c01261..4bd148a 100644
hostname_exec(xdm_t)
')
-@@ -544,28 +810,65 @@ optional_policy(`
+@@ -544,28 +811,65 @@ optional_policy(`
')
optional_policy(`
@@ -45160,7 +45386,7 @@ index 6c01261..4bd148a 100644
')
optional_policy(`
-@@ -577,6 +880,14 @@ optional_policy(`
+@@ -577,6 +881,14 @@ optional_policy(`
')
optional_policy(`
@@ -45175,7 +45401,7 @@ index 6c01261..4bd148a 100644
xfs_stream_connect(xdm_t)
')
-@@ -601,7 +912,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +913,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -45184,7 +45410,7 @@ index 6c01261..4bd148a 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -615,8 +926,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +927,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -45200,7 +45426,7 @@ index 6c01261..4bd148a 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -635,12 +953,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +954,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -45222,7 +45448,7 @@ index 6c01261..4bd148a 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -648,6 +973,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +974,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -45230,7 +45456,7 @@ index 6c01261..4bd148a 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -674,7 +1000,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +1001,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -45238,7 +45464,7 @@ index 6c01261..4bd148a 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -684,11 +1009,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1010,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -45256,7 +45482,7 @@ index 6c01261..4bd148a 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -699,8 +1030,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1031,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -45270,7 +45496,7 @@ index 6c01261..4bd148a 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -713,8 +1049,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1050,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -45279,7 +45505,7 @@ index 6c01261..4bd148a 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -722,11 +1056,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1057,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -45294,7 +45520,7 @@ index 6c01261..4bd148a 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -780,16 +1115,36 @@ optional_policy(`
+@@ -780,16 +1116,36 @@ optional_policy(`
')
optional_policy(`
@@ -45332,7 +45558,7 @@ index 6c01261..4bd148a 100644
unconfined_domtrans(xserver_t)
')
-@@ -798,6 +1153,10 @@ optional_policy(`
+@@ -798,6 +1154,10 @@ optional_policy(`
')
optional_policy(`
@@ -45343,7 +45569,7 @@ index 6c01261..4bd148a 100644
xfs_stream_connect(xserver_t)
')
-@@ -813,10 +1172,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1173,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -45357,7 +45583,7 @@ index 6c01261..4bd148a 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -824,7 +1183,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1184,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -45366,7 +45592,7 @@ index 6c01261..4bd148a 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -837,6 +1196,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1197,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -45376,7 +45602,7 @@ index 6c01261..4bd148a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -844,6 +1206,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1207,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -45388,7 +45614,7 @@ index 6c01261..4bd148a 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -852,11 +1219,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1220,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -45405,7 +45631,7 @@ index 6c01261..4bd148a 100644
')
optional_policy(`
-@@ -864,6 +1234,10 @@ optional_policy(`
+@@ -864,6 +1235,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -45416,7 +45642,7 @@ index 6c01261..4bd148a 100644
########################################
#
# Rules common to all X window domains
-@@ -907,7 +1281,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1282,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -45425,7 +45651,7 @@ index 6c01261..4bd148a 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -961,11 +1335,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1336,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -45457,7 +45683,7 @@ index 6c01261..4bd148a 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -987,18 +1381,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1382,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -48443,7 +48669,7 @@ index 8232f91..8897e32 100644
+ allow ipsec_mgmt_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 98d6081..c214645 100644
+index 98d6081..dc6114a 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -73,7 +73,7 @@ role system_r types setkey_t;
@@ -48467,15 +48693,17 @@ index 98d6081..c214645 100644
can_exec(ipsec_t, ipsec_mgmt_exec_t)
-@@ -108,7 +109,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
+@@ -108,8 +109,8 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
-dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+-allow ipsec_mgmt_t ipsec_t:process sigchld;
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
- allow ipsec_mgmt_t ipsec_t:process sigchld;
++allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
kernel_read_kernel_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
@@ -127,13 +128,13 @@ corecmd_exec_bin(ipsec_t)
# Pluto needs network access
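Review bot: `allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };` adds rlimitinh without saying why; per the commit message the purpose is letting the resource limits set by the management scripts (the core-size limit) carry into ipsec_t so it can dump core. A comment such as `# rlimitinh: let ipsec_t (pluto) inherit the core-size limit set by the mgmt scripts` would tie the permission to its reason. Because pluto holds keying material, where those core files land and what label they receive is worth documenting alongside this rule. The surrounding ipsec_t rules continue outside the hunk.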
@@ -49363,13 +49591,15 @@ index 2b7e5f3..76b4ce1 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..4906577 100644
+index 571599b..9effaeb 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -17,6 +17,11 @@
+@@ -17,6 +17,13 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
@@ -49378,7 +49608,7 @@ index 571599b..4906577 100644
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -25,6 +30,7 @@
+@@ -25,6 +32,7 @@
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -49386,7 +49616,7 @@ index 571599b..4906577 100644
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
ifdef(`distro_suse', `
-@@ -37,13 +43,14 @@ ifdef(`distro_suse', `
+@@ -37,13 +45,14 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -49402,7 +49632,7 @@ index 571599b..4906577 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,18 +61,24 @@ ifdef(`distro_redhat',`
+@@ -54,18 +63,24 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -49581,7 +49811,7 @@ index c7cfb62..6160239 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..7ea0ae3 100644
+index 9b5a9ed..67bcfc3 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -55,11 +55,12 @@ type klogd_var_run_t;
@@ -49661,14 +49891,21 @@ index 9b5a9ed..7ea0ae3 100644
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -340,6 +363,7 @@ optional_policy(`
+@@ -338,11 +361,12 @@ optional_policy(`
+ # chown fsetid for syslog-ng
+ # sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
- allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 syslog;
# setpgid for metalog
# setrlimit for syslog-ng
- allow syslogd_t self:process { signal_perms setpgid setrlimit };
+-allow syslogd_t self:process { signal_perms setpgid setrlimit };
++allow syslogd_t self:process { signal_perms setpgid setsched setrlimit };
+ # receive messages to be logged
+ allow syslogd_t self:unix_dgram_socket create_socket_perms;
+ allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -360,6 +384,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
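Review bot: The new `sys_nice` capability and `setsched` process permission for syslogd_t are unannotated, while every neighbouring permission in this block carries a why-comment (`# chown fsetid for syslog-ng`, `# setpgid for metalog`, `# setrlimit for syslog-ng`). Adding `# sys_nice/setsched for systemd-kmsg-syslogd — confirm` (if that is the consumer; the commit message only ties the `dev_write_kmsg` line in the next hunk to it) would keep the block's convention and record which daemon needs scheduler control.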
@@ -49693,15 +49930,17 @@ index 9b5a9ed..7ea0ae3 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +443,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -412,6 +443,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
++# relating to systemd-kmsg-syslogd
++dev_write_kmsg(syslogd_t)
domain_use_interactive_fds(syslogd_t)
-@@ -480,6 +512,10 @@ optional_policy(`
+@@ -480,6 +514,10 @@ optional_policy(`
')
optional_policy(`
@@ -49712,7 +49951,7 @@ index 9b5a9ed..7ea0ae3 100644
postgresql_stream_connect(syslogd_t)
')
-@@ -488,6 +524,10 @@ optional_policy(`
+@@ -488,6 +526,10 @@ optional_policy(`
')
optional_policy(`
@@ -52497,10 +52736,10 @@ index 0000000..1d17a7b
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..39f326a
+index 0000000..6c68924
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,153 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -52577,6 +52816,8 @@ index 0000000..39f326a
+
+kernel_read_network_state(systemd_tmpfiles_t)
+
++dev_write_kmsg(systemd_tmpfiles_t)
++
+files_read_etc_files(systemd_tmpfiles_t)
+files_getattr_all_dirs(systemd_tmpfiles_t)
+files_getattr_all_files(systemd_tmpfiles_t)
@@ -53687,7 +53928,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..3e329c7 100644
+index 28b88de..eb1ad51 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -54258,7 +54499,7 @@ index 28b88de..3e329c7 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +650,114 @@ template(`userdom_common_user_template',`
+@@ -574,67 +650,118 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -54276,11 +54517,15 @@ index 28b88de..3e329c7 100644
+
+ optional_policy(`
+ canna_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ chrome_role($1_r, $1_usertype)
++ colord_read_lib_files($1_usertype)
')
optional_policy(`
@@ -54349,24 +54594,24 @@ index 28b88de..3e329c7 100644
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_session_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
++ ')
++
++ optional_policy(`
+ lircd_stream_connect($1_usertype)
+ ')
+
@@ -54391,7 +54636,7 @@ index 28b88de..3e329c7 100644
')
optional_policy(`
-@@ -650,41 +773,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +777,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -54423,48 +54668,50 @@ index 28b88de..3e329c7 100644
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ slrnpull_search_spool($1_usertype)
++ seunshare_role_template($1, $1_r, $1_t)
')
+
++ optional_policy(`
++ slrnpull_search_spool($1_usertype)
++ ')
++
')
#######################################
-@@ -712,13 +844,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +848,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
@@ -54475,9 +54722,7 @@ index 28b88de..3e329c7 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -54485,7 +54730,7 @@ index 28b88de..3e329c7 100644
userdom_change_password_template($1)
-@@ -736,72 +881,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +885,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -54552,10 +54797,10 @@ index 28b88de..3e329c7 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -54594,7 +54839,7 @@ index 28b88de..3e329c7 100644
')
')
-@@ -833,6 +977,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +981,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -54604,7 +54849,7 @@ index 28b88de..3e329c7 100644
##############################
#
# Local policy
-@@ -874,45 +1021,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1025,113 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -54680,26 +54925,27 @@ index 28b88de..3e329c7 100644
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
- ')
++ ')
optional_policy(`
-- cups_dbus_chat($1_t)
+- consolekit_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ fprintd_dbus_chat($1_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
+ ')
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
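Review bot: `fprintd_dbus_chat($1_t)` is the only call in this run of `optional_policy` blocks that still takes `$1_t`; every neighbour the reorder touches (consolekit, cups, devicekit, openoffice, pulseaudio) is passed `$1_usertype`. If the fprintd D-Bus chat is deliberately limited to the login shell domain, a one-line comment above it (`# fprintd chat is intentionally $1_t only, not the whole $1_usertype set`) would keep the next reviewer from "fixing" it; otherwise it should read `fprintd_dbus_chat($1_usertype)` for consistency. The two consecutive `')` lines right after the fprintd call suggest that block sits inside an outer conditional opened before the hunk, so the bracket balance after this reorder is worth re-checking. The enclosing `userdom_restricted_xwindows_user_template` starts and ends outside the hunk.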
@@ -54709,10 +54955,9 @@ index 28b88de..3e329c7 100644
+
+ optional_policy(`
+ pulseaudio_role($1_r, $1_usertype)
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
@@ -54729,7 +54974,7 @@ index 28b88de..3e329c7 100644
')
')
-@@ -947,7 +1162,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1166,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -54738,7 +54983,7 @@ index 28b88de..3e329c7 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1171,78 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1175,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -54777,6 +55022,11 @@ index 28b88de..3e329c7 100644
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
++
++ tunable_policy(`user_share_music',`
++ corenet_tcp_bind_daap_port($1_usertype)
++ ')
++
tunable_policy(`user_tcp_server',`
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
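Review bot: The new `user_share_music` block grants only `corenet_tcp_bind_daap_port($1_usertype)`, but a TCP bind also needs `node_bind` on the node type, and in this template that appears to be granted only under the separate `user_tcp_server` tunable (the `corenet_tcp_bind_generic_node` call visible just below). Unless node bind is granted unconditionally elsewhere in the template, enabling `user_share_music` alone would still leave the DAAP bind denied; either add `corenet_tcp_bind_generic_node($1_usertype)` inside the new tunable block or put a comment above it noting that it depends on `user_tcp_server`. A short comment on what the boolean opens (`# user_share_music: let user apps listen on the DAAP port`) would also match the commented `user_tcp_server` block that follows. The enclosing `userdom_unpriv_user_template` continues outside the hunk.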
@@ -54828,26 +55078,26 @@ index 28b88de..3e329c7 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ wine_role_template($1, $1_r, $1_t)
++ postfix_run_postdrop($1_t, $1_r)
')
++ # Run pppd in pppd_t by default for user
optional_policy(`
- setroubleshoot_stream_connect($1_t)
-+ postfix_run_postdrop($1_t, $1_r)
-+ ')
-+
-+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1039,7 +1278,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1287,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -54856,7 +55106,7 @@ index 28b88de..3e329c7 100644
')
##############################
-@@ -1066,6 +1305,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1314,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -54864,7 +55114,7 @@ index 28b88de..3e329c7 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1314,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1323,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -54874,7 +55124,7 @@ index 28b88de..3e329c7 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1331,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1340,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -54882,7 +55132,7 @@ index 28b88de..3e329c7 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1349,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1358,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -54896,7 +55146,7 @@ index 28b88de..3e329c7 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,15 +1366,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1375,19 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -54916,7 +55166,7 @@ index 28b88de..3e329c7 100644
term_use_all_terms($1_t)
-@@ -1141,7 +1392,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1401,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -54928,7 +55178,7 @@ index 28b88de..3e329c7 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1464,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1473,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -54937,7 +55187,7 @@ index 28b88de..3e329c7 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1478,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1487,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -54945,7 +55195,7 @@ index 28b88de..3e329c7 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1494,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1503,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -54953,7 +55203,7 @@ index 28b88de..3e329c7 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1537,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1546,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -54991,7 +55241,7 @@ index 28b88de..3e329c7 100644
ubac_constrained($1)
')
-@@ -1395,6 +1679,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1688,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -54999,7 +55249,7 @@ index 28b88de..3e329c7 100644
files_search_home($1)
')
-@@ -1441,6 +1726,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1735,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -55014,7 +55264,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -1456,9 +1749,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1758,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -55026,7 +55276,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -1515,10 +1810,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1819,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -55039,7 +55289,7 @@ index 28b88de..3e329c7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,31 +1821,67 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,25 +1830,61 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -55066,12 +55316,6 @@ index 28b88de..3e329c7 100644
-## Do a domain transition to the specified
-## domain when executing a program in the
-## user home directory.
--## </p>
--## <p>
--## No interprocess communication (signals, pipes,
--## etc.) is provided by this interface since
--## the domains are not owned by this module.
--## </p>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
@@ -55116,16 +55360,10 @@ index 28b88de..3e329c7 100644
+## Do a domain transition to the specified
+## domain when executing a program in the
+## user home directory.
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
- ## </desc>
- ## <param name="source_domain">
- ## <summary>
-@@ -1589,6 +1920,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ## </p>
+ ## <p>
+ ## No interprocess communication (signals, pipes,
+@@ -1589,6 +1929,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -55134,7 +55372,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -1603,10 +1936,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1945,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -55149,7 +55387,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -1649,6 +1984,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1993,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -55175,7 +55413,7 @@ index 28b88de..3e329c7 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2054,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2063,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -55208,7 +55446,7 @@ index 28b88de..3e329c7 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2090,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2099,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -55226,7 +55464,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -1810,8 +2187,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2196,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -55236,7 +55474,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -1827,20 +2203,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2212,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -55250,18 +55488,19 @@ index 28b88de..3e329c7 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -2182,7 +2552,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ## Do not audit attempts to execute user home files.
+@@ -2182,7 +2561,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
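Review bot: `userdom_exec_user_home_content_files` no longer carries the `use_nfs_home_dirs` / `use_samba_home_dirs` blocks (the samba block is turned into removed lines at the bottom of the hunk, and the earlier template hunk re-grants `fs_exec_nfs_files`/`fs_exec_cifs_files` only to `$1_usertype` under `allow_$1_exec_content`), so any other module calling this interface appears to lose execute on NFS/CIFS-backed home directories. If that narrowing is intended, the interface's `<desc>` should state it, e.g. `## Execute user home content files. NFS/CIFS home directories are not covered; callers that need them must grant fs_exec_nfs_files / fs_exec_cifs_files under the corresponding tunable themselves.` The `<summary>` block for this interface begins before the hunk's first line.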
@@ -55270,7 +55509,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -2435,13 +2805,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2814,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -55286,7 +55525,7 @@ index 28b88de..3e329c7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2833,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2842,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -55313,7 +55552,7 @@ index 28b88de..3e329c7 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2815,7 +3166,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3175,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -55322,7 +55561,7 @@ index 28b88de..3e329c7 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3182,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3191,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -55338,7 +55577,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -2917,7 +3270,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3279,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -55347,7 +55586,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -2972,7 +3325,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3334,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -55394,7 +55633,7 @@ index 28b88de..3e329c7 100644
')
########################################
-@@ -3009,6 +3400,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3409,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -55402,7 +55641,7 @@ index 28b88de..3e329c7 100644
kernel_search_proc($1)
')
-@@ -3139,3 +3531,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3540,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -56462,7 +56701,7 @@ index 28b88de..3e329c7 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index df29ca1..2333dd8 100644
+index df29ca1..2a5c03d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0)
@@ -56474,10 +56713,17 @@ index df29ca1..2333dd8 100644
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect, false)
-@@ -43,6 +43,13 @@ gen_tunable(user_rw_noexattrfile, false)
+@@ -43,6 +43,20 @@ gen_tunable(user_rw_noexattrfile, false)
## <desc>
## <p>
++## Allow user music sharing
++## </p>
++## </desc>
++gen_tunable(user_share_music, false)
++
++## <desc>
++## <p>
+## Allow user processes to change their priority
+## </p>
+## </desc>
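Review bot: The `<desc>` for the new `user_share_music` tunable says only "Allow user music sharing", which does not tell an administrator what permission the boolean actually opens; from the use in userdomain.if it lets unprivileged user domains bind to the DAAP TCP port. Suggest `## Allow unprivileged user domains to bind to the DAAP TCP port so media players (e.g. Rhythmbox) can share music over the network.` The `false` default is the right choice for a boolean that adds a network listener.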
@@ -56488,7 +56734,7 @@ index df29ca1..2333dd8 100644
## Allow w to display everyone
## </p>
## </desc>
-@@ -59,6 +66,19 @@ attribute unpriv_userdomain;
+@@ -59,6 +73,19 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
@@ -56508,7 +56754,7 @@ index df29ca1..2333dd8 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +91,54 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,54 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9def135..22c44e0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,24 @@ exit 0
%endif
%changelog
+* Tue Mar 22 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-6
+- Add syslogd_exec_t label for systemd-kmsg-syslogd
+- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed
+- Allow rythmbox and other apps to share music over daap port
+- Allow qemu and pulseaudio to work together
+- Allow httpd to create socket file in /tmp
+- Allow tuned to write to sysfs
+- Allow systemd_tmpfiles to send kernel messages
+- Add a dev_filetrans to readahead_manage_pid_files so any callers can create directories and files in /dev with this label
+- mrtg needs to be able to create /var/lock/mrtg
+- Add label for /usr/share/shorewall/getparams
+- xdm needs to read KDE config files
+- Smolt needs to look at urand and read hwdata
+- google talk plugin in nsplugin is listing the contents
+- Add support for KDE ksysguardprocesslist_helper
+- Add support for a new cluster service - foghorn
+- gnome-control-center reads colord lib files when monitor is plugged
+
* Thu Mar 17 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-5
- Fix multiple specification for boot.log
- devicekit leaks file descriptors to setfiles_t